Enterprise SSO setup

Set up Enterprise SSO (SAML or OIDC) so admins sign in through your identity provider, enforce SSO, and auto-provision (JIT) new teammates.

Written By Robi Rohumaa

Last updated 3 days ago

Overview

Enterprise SSO lets your admins sign in to Featurebase through your company identity provider (IdP), using SAML 2.0 or OpenID Connect (OIDC). You connect your provider once, then choose whether to enforce SSO for every admin and whether new teammates are created automatically on their first SSO login.

This guide covers admin sign-in. To sign your end-users into your Feedback Portal and widgets, see Web portal single sign-on (SSO) setup instead.

Note: Enterprise SSO is available on the Enterprise plan and is switched on by our team first.


Supported identity providers

Enterprise SSO works with any identity provider that supports SAML or OIDC. Supported providers include:

  • Okta

  • Microsoft Entra ID (formerly Azure AD)

  • Google Workspace

  • OneLogin

  • Ping Identity (PingFederate and PingOne)

  • JumpCloud

  • Auth0

  • CyberArk

  • Duo

  • Keycloak

  • Microsoft AD FS

  • Oracle

  • Rippling

  • Salesforce

  • VMware Workspace ONE

  • Cloudflare

  • ADP

  • Login.gov

  • Clever

  • ClassLink

  • CAS

  • LastPass

  • miniOrange

  • NetIQ

  • Shibboleth

  • SimpleSAMLphp

Don't see your provider? You can connect any other SAML or OIDC identity provider with a custom connection. The list of supported providers grows over time, so reach out if you're unsure whether yours is covered.


Before you start

You need:

  • The Enterprise plan, with Enterprise SSO enabled by our team

  • A role with the Manage SSO permission

  • Admin access to your identity provider

  • At least one company domain you can verify

If the page shows that setup needs to be enabled by our team first, contact us from that page and we'll turn it on.

Verify your domain

Featurebase uses verified domains to recognize which email addresses belong to your company. You need at least one verified domain before you can enforce SSO. If your team signs in with more than one email domain, add each of them.

  1. Go to Settings → Access & Security → Single sign-on.

  2. Under Enterprise identity, click Manage domains.

  3. Add your company domain and follow the steps shown in the Featurebase Enterprise Identity Portal.

Connect your identity provider

  1. Go to Settings → Access & Security → Single sign-on.

  2. Under Enterprise identity, next to Identity connection, click Manage identity connection.

  3. Complete the SAML or OIDC setup in the Featurebase Enterprise Identity Portal, then return to Featurebase.

  4. Confirm the Single sign-on row shows Connected.

  5. Test sign-in with a non-owner admin before you enforce SSO.

Make sure your identity provider sends each user's email address. First and last name are used for display and fall back to the email address if they're missing.
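A pre-flight check for that requirement on an OIDC connection, as an added example rather than Featurebase code: it decodes the payload of a test ID token and reports whether an email is present, whether its domain is one you verified, and what display name results from the fallback. The standard OIDC claim names `email`, `given_name` and `family_name`, the `example.com` domain, and the sample tokens are assumptions; the signature is not verified, so use it only to inspect test tokens.

```python
import base64
import json

VERIFIED_DOMAINS = {"example.com"}  # constructed: replace with the domains you verified


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature so the example runs offline."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed"


def decode_claims(id_token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict, verified_domains=VERIFIED_DOMAINS) -> dict:
    """Check for an email claim and compute the display name with its fallback."""
    problems = []
    email = claims.get("email")
    if not isinstance(email, str) or email.count("@") != 1:
        problems.append("email claim missing or malformed")
        email = None
    elif email.rsplit("@", 1)[1].lower() not in verified_domains:
        problems.append("email domain is not a verified domain")
    # Assumed standard OIDC claim names for first and last name.
    names = [str(claims.get(k) or "").strip() for k in ("given_name", "family_name")]
    display = " ".join(n for n in names if n) or email
    return {"email": email, "display_name": display, "problems": problems}


if __name__ == "__main__":
    samples = [  # constructed claim sets
        {"sub": "u1", "email": "ada@example.com", "given_name": "Ada", "family_name": "Lovelace"},
        {"sub": "u2", "email": "grace@example.com"},
        {"sub": "u3", "given_name": "No", "family_name": "Email"},
    ]
    for claims in samples:
        print(check_claims(decode_claims(make_sample_token(claims))))
```

Run it against a token issued for the non-owner admin you use for the test sign-in; any entry in `problems` points to an attribute mapping to fix in the identity provider before you enforce SSO.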


How admins sign in with SSO

Once your connection is active, admins sign in from the Featurebase login page:

  1. On the login page, choose Continue with SSO.

  2. Enter your work email.

  3. You're redirected to your identity provider to authenticate, then back to Featurebase.

If SSO is enforced, a non-owner admin who tries to sign in with a password is redirected to your identity provider automatically. Social logins (Google, GitHub, and Discord) are blocked with a message to sign in through SSO instead.


Enforce SSO for admins

Turn on Enforce SSO for admins to require every admin except the workspace owner to sign in through your connection.

Before you can enforce SSO:

  • At least one company domain is verified

  • Your SSO connection is active and you've tested a sign-in

To turn it on, toggle Enforce SSO for admins and type ENFORCE SSO to confirm.

When SSO is enforced:

  • Every non-owner admin must sign in through your identity provider

  • Email, password, and social login stop working for those admins in this workspace

  • Existing non-SSO admin sessions are invalidated immediately, so those admins sign in again through SSO

  • The workspace owner keeps emergency access through their password or a social login


Avoid getting locked out

The workspace owner can always sign in with their password or a social login (Google, GitHub, or Discord), even when SSO is enforced. Treat the owner account as your emergency way back in.

Before you enforce SSO, test a full sign-in with a non-owner admin and confirm the owner can still sign in without SSO.

If your identity provider goes down or the connection breaks, the owner can turn off Enforce SSO for admins to restore password and social login for every admin. There's no separate per-admin bypass, so this is your recovery path.

Auto-provision new members

Turn on Auto-provision new members on SSO login to let approved teammates join the workspace the first time they sign in through SSO. This is also called just-in-time (JIT) provisioning. Set Default role for new SSO members to control the role they get on that first sign-in.

If auto-provisioning is off, only teammates who were already invited can sign in with SSO.

Note: If Directory sync is enabled, its group rules take over a member's role and seat from the first sign-in onward.


FAQs